source3/smbd/smb2_sesssetup.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Core SMB2 server
   4
   5    Copyright (C) Stefan Metzmacher 2009
   6    Copyright (C) Jeremy Allison 2010
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "smbd/smbd.h"
  24 #include "smbd/globals.h"
  25 #include "../libcli/smb/smb_common.h"
  26 #include "../auth/gensec/gensec.h"
  27 #include "auth.h"
  28 #include "../lib/tsocket/tsocket.h"
  29 #include "../libcli/security/security.h"
  30 #include "../lib/util/tevent_ntstatus.h"
  31
  32 static struct tevent_req *smbd_smb2_session_setup_send(TALLOC_CTX *mem_ctx,
  33                                         struct tevent_context *ev,
  34                                         struct smbd_smb2_request *smb2req,
  35                                         uint64_t in_session_id,
  36                                         uint8_t in_flags,
  37                                         uint8_t in_security_mode,
  38                                         uint64_t in_previous_session_id,
  39                                         DATA_BLOB in_security_buffer);
  40 static NTSTATUS smbd_smb2_session_setup_recv(struct tevent_req *req,
  41                                         uint16_t *out_session_flags,
  42                                         TALLOC_CTX *mem_ctx,
  43                                         DATA_BLOB *out_security_buffer,
  44                                         uint64_t *out_session_id);
  45
  46 static void smbd_smb2_request_sesssetup_done(struct tevent_req *subreq);
  47
  48 NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *smb2req)
  49 {
  50         const uint8_t *inhdr;
  51         const uint8_t *inbody;
  52         uint64_t in_session_id;
  53         uint8_t in_flags;
  54         uint8_t in_security_mode;
  55         uint64_t in_previous_session_id;
  56         uint16_t in_security_offset;
  57         uint16_t in_security_length;
  58         DATA_BLOB in_security_buffer;
  59         NTSTATUS status;
  60         struct tevent_req *subreq;
  61
  62         status = smbd_smb2_request_verify_sizes(smb2req, 0x19);
  63         if (!NT_STATUS_IS_OK(status)) {
  64                 return smbd_smb2_request_error(smb2req, status);
  65         }
  66         inhdr = SMBD_SMB2_IN_HDR_PTR(smb2req);
  67         inbody = SMBD_SMB2_IN_BODY_PTR(smb2req);
  68
  69         in_session_id = BVAL(inhdr, SMB2_HDR_SESSION_ID);
  70
  71         in_flags = CVAL(inbody, 0x02);
  72         in_security_mode = CVAL(inbody, 0x03);
  73         /* Capabilities = IVAL(inbody, 0x04) */
  74         /* Channel = IVAL(inbody, 0x08) */
  75         in_security_offset = SVAL(inbody, 0x0C);
  76         in_security_length = SVAL(inbody, 0x0E);
  77         in_previous_session_id = BVAL(inbody, 0x10);
  78
  79         if (in_security_offset != (SMB2_HDR_BODY + SMBD_SMB2_IN_BODY_LEN(smb2req))) {
  80                 return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
  81         }
  82
  83         if (in_security_length > SMBD_SMB2_IN_DYN_LEN(smb2req)) {
  84                 return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
  85         }
  86
  87         in_security_buffer.data = SMBD_SMB2_IN_DYN_PTR(smb2req);
  88         in_security_buffer.length = in_security_length;
  89
  90         subreq = smbd_smb2_session_setup_send(smb2req,
  91                                               smb2req->sconn->ev_ctx,
  92                                               smb2req,
  93                                               in_session_id,
  94                                               in_flags,
  95                                               in_security_mode,
  96                                               in_previous_session_id,
  97                                               in_security_buffer);
  98         if (subreq == NULL) {
  99                 return smbd_smb2_request_error(smb2req, NT_STATUS_NO_MEMORY);
 100         }
 101         tevent_req_set_callback(subreq, smbd_smb2_request_sesssetup_done, smb2req);
 102
 103         return smbd_smb2_request_pending_queue(smb2req, subreq, 500);
 104 }
 105
 106 static void smbd_smb2_request_sesssetup_done(struct tevent_req *subreq)
 107 {
 108         struct smbd_smb2_request *smb2req =
 109                 tevent_req_callback_data(subreq,
 110                 struct smbd_smb2_request);
 111         uint8_t *outhdr;
 112         DATA_BLOB outbody;
 113         DATA_BLOB outdyn;
 114         uint16_t out_session_flags = 0;
 115         uint64_t out_session_id = 0;
 116         uint16_t out_security_offset;
 117         DATA_BLOB out_security_buffer = data_blob_null;
 118         NTSTATUS status;
 119         NTSTATUS error; /* transport error */
 120
 121         status = smbd_smb2_session_setup_recv(subreq,
 122                                               &out_session_flags,
 123                                               smb2req,
 124                                               &out_security_buffer,
 125                                               &out_session_id);
 126         TALLOC_FREE(subreq);
 127         if (!NT_STATUS_IS_OK(status) &&
 128             !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 129                 status = nt_status_squash(status);
 130                 error = smbd_smb2_request_error(smb2req, status);
 131                 if (!NT_STATUS_IS_OK(error)) {
 132                         smbd_server_connection_terminate(smb2req->xconn,
 133                                                          nt_errstr(error));
 134                         return;
 135                 }
 136                 return;
 137         }
 138
 139         out_security_offset = SMB2_HDR_BODY + 0x08;
 140
 141         outhdr = SMBD_SMB2_OUT_HDR_PTR(smb2req);
 142
 143         outbody = smbd_smb2_generate_outbody(smb2req, 0x08);
 144         if (outbody.data == NULL) {
 145                 error = smbd_smb2_request_error(smb2req, NT_STATUS_NO_MEMORY);
 146                 if (!NT_STATUS_IS_OK(error)) {
 147                         smbd_server_connection_terminate(smb2req->xconn,
 148                                                          nt_errstr(error));
 149                         return;
 150                 }
 151                 return;
 152         }
 153
 154         SBVAL(outhdr, SMB2_HDR_SESSION_ID, out_session_id);
 155
 156         SSVAL(outbody.data, 0x00, 0x08 + 1);    /* struct size */
 157         SSVAL(outbody.data, 0x02,
 158               out_session_flags);               /* session flags */
 159         SSVAL(outbody.data, 0x04,
 160               out_security_offset);             /* security buffer offset */
 161         SSVAL(outbody.data, 0x06,
 162               out_security_buffer.length);      /* security buffer length */
 163
 164         outdyn = out_security_buffer;
 165
 166         error = smbd_smb2_request_done_ex(smb2req, status, outbody, &outdyn,
 167                                            __location__);
 168         if (!NT_STATUS_IS_OK(error)) {
 169                 smbd_server_connection_terminate(smb2req->xconn,
 170                                                  nt_errstr(error));
 171                 return;
 172         }
 173 }
 174
 175 static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 176                                         struct smbd_smb2_request *smb2req,
 177                                         uint8_t in_security_mode,
 178                                         struct auth_session_info *session_info,
 179                                         uint16_t *out_session_flags,
 180                                         uint64_t *out_session_id)
 181 {
 182         NTSTATUS status;
 183         bool guest = false;
 184         uint8_t session_key[16];
 185         struct smbXsrv_session *x = session;
 186         struct smbXsrv_connection *xconn = smb2req->xconn;
 187
 188         if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
 189             lp_server_signing() == SMB_SIGNING_REQUIRED) {
 190                 x->global->signing_required = true;
 191         }
 192
 193         if ((lp_smb_encrypt(-1) > SMB_SIGNING_OFF) &&
 194             (xconn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
 195                 x->global->encryption_required = true;
 196         }
 197
 198         if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) {
 199                 x->global->encryption_required = true;
 200         }
 201
 202         if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
 203                 /* we map anonymous to guest internally */
 204                 *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
 205                 *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
 206                 /* force no signing */
 207                 x->global->signing_required = false;
 208                 guest = true;
 209         }
 210
 211         if (guest && x->global->encryption_required) {
 212                 DEBUG(1,("reject guest session as encryption is required\n"));
 213                 return NT_STATUS_ACCESS_DENIED;
 214         }
 215
 216         if (xconn->smb2.server.cipher == 0) {
 217                 if (x->global->encryption_required) {
 218                         DEBUG(1,("reject session with dialect[0x%04X] "
 219                                  "as encryption is required\n",
 220                                  xconn->smb2.server.dialect));
 221                         return NT_STATUS_ACCESS_DENIED;
 222                 }
 223         }
 224
 225         if (x->global->encryption_required) {
 226                 *out_session_flags |= SMB2_SESSION_FLAG_ENCRYPT_DATA;
 227         }
 228
 229         ZERO_STRUCT(session_key);
 230         memcpy(session_key, session_info->session_key.data,
 231                MIN(session_info->session_key.length, sizeof(session_key)));
 232
 233         x->global->signing_key = data_blob_talloc(x->global,
 234                                                   session_key,
 235                                                   sizeof(session_key));
 236         if (x->global->signing_key.data == NULL) {
 237                 ZERO_STRUCT(session_key);
 238                 return NT_STATUS_NO_MEMORY;
 239         }
 240
 241         if (xconn->protocol >= PROTOCOL_SMB2_24) {
 242                 const DATA_BLOB label = data_blob_string_const_null("SMB2AESCMAC");
 243                 const DATA_BLOB context = data_blob_string_const_null("SmbSign");
 244
 245                 smb2_key_derivation(session_key, sizeof(session_key),
 246                                     label.data, label.length,
 247                                     context.data, context.length,
 248                                     x->global->signing_key.data);
 249         }
 250
 251         if (xconn->protocol >= PROTOCOL_SMB2_24) {
 252                 const DATA_BLOB label = data_blob_string_const_null("SMB2AESCCM");
 253                 const DATA_BLOB context = data_blob_string_const_null("ServerIn ");
 254
 255                 x->global->decryption_key = data_blob_talloc(x->global,
 256                                                              session_key,
 257                                                              sizeof(session_key));
 258                 if (x->global->decryption_key.data == NULL) {
 259                         ZERO_STRUCT(session_key);
 260                         return NT_STATUS_NO_MEMORY;
 261                 }
 262
 263                 smb2_key_derivation(session_key, sizeof(session_key),
 264                                     label.data, label.length,
 265                                     context.data, context.length,
 266                                     x->global->decryption_key.data);
 267         }
 268
 269         if (xconn->protocol >= PROTOCOL_SMB2_24) {
 270                 const DATA_BLOB label = data_blob_string_const_null("SMB2AESCCM");
 271                 const DATA_BLOB context = data_blob_string_const_null("ServerOut");
 272
 273                 x->global->encryption_key = data_blob_talloc(x->global,
 274                                                              session_key,
 275                                                              sizeof(session_key));
 276                 if (x->global->encryption_key.data == NULL) {
 277                         ZERO_STRUCT(session_key);
 278                         return NT_STATUS_NO_MEMORY;
 279                 }
 280
 281                 smb2_key_derivation(session_key, sizeof(session_key),
 282                                     label.data, label.length,
 283                                     context.data, context.length,
 284                                     x->global->encryption_key.data);
 285
 286                 generate_random_buffer((uint8_t *)&x->nonce_high, sizeof(x->nonce_high));
 287                 x->nonce_low = 1;
 288         }
 289
 290         x->global->application_key = data_blob_dup_talloc(x->global,
 291                                                 x->global->signing_key);
 292         if (x->global->application_key.data == NULL) {
 293                 ZERO_STRUCT(session_key);
 294                 return NT_STATUS_NO_MEMORY;
 295         }
 296
 297         if (xconn->protocol >= PROTOCOL_SMB2_24) {
 298                 const DATA_BLOB label = data_blob_string_const_null("SMB2APP");
 299                 const DATA_BLOB context = data_blob_string_const_null("SmbRpc");
 300
 301                 smb2_key_derivation(session_key, sizeof(session_key),
 302                                     label.data, label.length,
 303                                     context.data, context.length,
 304                                     x->global->application_key.data);
 305         }
 306         ZERO_STRUCT(session_key);
 307
 308         x->global->channels[0].signing_key = data_blob_dup_talloc(x->global->channels,
 309                                                 x->global->signing_key);
 310         if (x->global->channels[0].signing_key.data == NULL) {
 311                 return NT_STATUS_NO_MEMORY;
 312         }
 313
 314         data_blob_clear_free(&session_info->session_key);
 315         session_info->session_key = data_blob_dup_talloc(session_info,
 316                                                 x->global->application_key);
 317         if (session_info->session_key.data == NULL) {
 318                 return NT_STATUS_NO_MEMORY;
 319         }
 320
 321         session->compat = talloc_zero(session, struct user_struct);
 322         if (session->compat == NULL) {
 323                 return NT_STATUS_NO_MEMORY;
 324         }
 325         session->compat->session = session;
 326         session->compat->homes_snum = -1;
 327         session->compat->session_info = session_info;
 328         session->compat->session_keystr = NULL;
 329         session->compat->vuid = session->global->session_wire_id;
 330         DLIST_ADD(smb2req->sconn->users, session->compat);
 331         smb2req->sconn->num_users++;
 332
 333         if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
 334                 session->compat->homes_snum =
 335                         register_homes_share(session_info->unix_info->unix_name);
 336         }
 337
 338         set_current_user_info(session_info->unix_info->sanitized_username,
 339                               session_info->unix_info->unix_name,
 340                               session_info->info->domain_name);
 341
 342         reload_services(smb2req->sconn, conn_snum_used, true);
 343
 344         session->status = NT_STATUS_OK;
 345         session->global->auth_session_info = session_info;
 346         session->global->auth_session_info_seqnum += 1;
 347         session->global->channels[0].auth_session_info_seqnum =
 348                 session->global->auth_session_info_seqnum;
 349         session->global->auth_time = timeval_to_nttime(&smb2req->request_time);
 350         session->global->expiration_time = gensec_expire_time(session->gensec);
 351
 352         if (!session_claim(session)) {
 353                 DEBUG(1, ("smb2: Failed to claim session "
 354                         "for vuid=%llu\n",
 355                         (unsigned long long)session->compat->vuid));
 356                 return NT_STATUS_LOGON_FAILURE;
 357         }
 358
 359         status = smbXsrv_session_update(session);
 360         if (!NT_STATUS_IS_OK(status)) {
 361                 DEBUG(0, ("smb2: Failed to update session for vuid=%llu - %s\n",
 362                           (unsigned long long)session->compat->vuid,
 363                           nt_errstr(status)));
 364                 return NT_STATUS_LOGON_FAILURE;
 365         }
 366
 367         /*
 368          * we attach the session to the request
 369          * so that the response can be signed
 370          */
 371         smb2req->session = session;
 372         if (!guest) {
 373                 smb2req->do_signing = true;
 374         }
 375
 376         global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32);
 377
 378         *out_session_id = session->global->session_wire_id;
 379
 380         return NT_STATUS_OK;
 381 }
 382
 383 static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session,
 384                                         struct smbd_smb2_request *smb2req,
 385                                         struct auth_session_info *session_info,
 386                                         uint16_t *out_session_flags,
 387                                         uint64_t *out_session_id)
 388 {
 389         NTSTATUS status;
 390         struct smbXsrv_session *x = session;
 391
 392         data_blob_clear_free(&session_info->session_key);
 393         session_info->session_key = data_blob_dup_talloc(session_info,
 394                                                 x->global->application_key);
 395         if (session_info->session_key.data == NULL) {
 396                 return NT_STATUS_NO_MEMORY;
 397         }
 398
 399         session->compat->session_info = session_info;
 400         session->compat->vuid = session->global->session_wire_id;
 401
 402         session->compat->homes_snum =
 403                         register_homes_share(session_info->unix_info->unix_name);
 404
 405         set_current_user_info(session_info->unix_info->sanitized_username,
 406                               session_info->unix_info->unix_name,
 407                               session_info->info->domain_name);
 408
 409         reload_services(smb2req->sconn, conn_snum_used, true);
 410
 411         session->status = NT_STATUS_OK;
 412         TALLOC_FREE(session->global->auth_session_info);
 413         session->global->auth_session_info = session_info;
 414         session->global->auth_session_info_seqnum += 1;
 415         session->global->channels[0].auth_session_info_seqnum =
 416                 session->global->auth_session_info_seqnum;
 417         session->global->auth_time = timeval_to_nttime(&smb2req->request_time);
 418         session->global->expiration_time = gensec_expire_time(session->gensec);
 419
 420         status = smbXsrv_session_update(session);
 421         if (!NT_STATUS_IS_OK(status)) {
 422                 DEBUG(0, ("smb2: Failed to update session for vuid=%llu - %s\n",
 423                           (unsigned long long)session->compat->vuid,
 424                           nt_errstr(status)));
 425                 return NT_STATUS_LOGON_FAILURE;
 426         }
 427
 428         conn_clear_vuid_caches(smb2req->sconn, session->compat->vuid);
 429
 430         if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
 431                 smb2req->do_signing = true;
 432         }
 433
 434         *out_session_id = session->global->session_wire_id;
 435
 436         return NT_STATUS_OK;
 437 }
 438
 439 struct smbd_smb2_session_setup_state {
 440         struct tevent_context *ev;
 441         struct smbd_smb2_request *smb2req;
 442         uint64_t in_session_id;
 443         uint8_t in_flags;
 444         uint8_t in_security_mode;
 445         uint64_t in_previous_session_id;
 446         DATA_BLOB in_security_buffer;
 447         struct smbXsrv_session *session;
 448         struct auth_session_info *session_info;
 449         uint16_t out_session_flags;
 450         DATA_BLOB out_security_buffer;
 451         uint64_t out_session_id;
 452         /* The following pointer is owned by state->session. */
 453         struct smbd_smb2_session_setup_state **pp_self_ref;
 454 };
 455
 456 static int pp_self_ref_destructor(struct smbd_smb2_session_setup_state **pp_state)
 457 {
 458         (*pp_state)->session = NULL;
 459         /*
 460          * To make things clearer, ensure the pp_self_ref
 461          * pointer is nulled out. We're never going to
 462          * access this again.
 463          */
 464         (*pp_state)->pp_self_ref = NULL;
 465         return 0;
 466 }
 467
 468 static int smbd_smb2_session_setup_state_destructor(struct smbd_smb2_session_setup_state *state)
 469 {
 470         struct smbXsrv_connection *xconn;
 471         struct smbd_smb2_request *preq;
 472
 473         /*
 474          * If state->session is not NULL,
 475          * we move the session from the session table to the request on failure
 476          * so that the error response can be correctly signed, but the session
 477          * is then really deleted when the request is done.
 478          */
 479
 480         if (state->session == NULL) {
 481                 return 0;
 482         }
 483
 484         state->session->status = NT_STATUS_USER_SESSION_DELETED;
 485         state->smb2req->session = talloc_move(state->smb2req, &state->session);
 486
 487         /*
 488          * We own the session now - we don't need the
 489          * tag talloced on session that keeps track of session independently.
 490          */
 491         TALLOC_FREE(state->pp_self_ref);
 492
 493         /*
 494          * We've made this session owned by the current request.
 495          * Ensure that any outstanding requests don't also refer
 496          * to it.
 497          */
 498         xconn = state->smb2req->xconn;
 499
 500         for (preq = xconn->smb2.requests; preq != NULL; preq = preq->next) {
 501                 if (preq == state->smb2req) {
 502                         continue;
 503                 }
 504                 if (preq->session == state->smb2req->session) {
 505                         preq->session = NULL;
 506                         /*
 507                          * If we no longer have a session we can't
 508                          * sign or encrypt replies.
 509                          */
 510                         preq->do_signing = false;
 511                         preq->do_encryption = false;
 512                 }
 513         }
 514
 515         return 0;
 516 }
 517
 518 static void smbd_smb2_session_setup_gensec_done(struct tevent_req *subreq);
 519 static void smbd_smb2_session_setup_previous_done(struct tevent_req *subreq);
 520 static void smbd_smb2_session_setup_auth_return(struct tevent_req *req);
 521
 522 /************************************************************************
 523  We have to tag the state->session pointer with memory talloc'ed
 524  on it to ensure it gets NULL'ed out if the underlying struct smbXsrv_session
 525  is deleted by shutdown whilst this request is in flight.
 526 ************************************************************************/
 527
 528 static NTSTATUS tag_state_session_ptr(struct smbd_smb2_session_setup_state *state)
 529 {
 530         state->pp_self_ref = talloc_zero(state->session,
 531                         struct smbd_smb2_session_setup_state *);
 532         if (state->pp_self_ref == NULL) {
 533                 return NT_STATUS_NO_MEMORY;
 534         }
 535         *state->pp_self_ref = state;
 536         talloc_set_destructor(state->pp_self_ref, pp_self_ref_destructor);
 537         return NT_STATUS_OK;
 538 }
 539
 540 static struct tevent_req *smbd_smb2_session_setup_send(TALLOC_CTX *mem_ctx,
 541                                         struct tevent_context *ev,
 542                                         struct smbd_smb2_request *smb2req,
 543                                         uint64_t in_session_id,
 544                                         uint8_t in_flags,
 545                                         uint8_t in_security_mode,
 546                                         uint64_t in_previous_session_id,
 547                                         DATA_BLOB in_security_buffer)
 548 {
 549         struct tevent_req *req;
 550         struct smbd_smb2_session_setup_state *state;
 551         NTSTATUS status;
 552         NTTIME now = timeval_to_nttime(&smb2req->request_time);
 553         struct tevent_req *subreq;
 554
 555         req = tevent_req_create(mem_ctx, &state,
 556                                 struct smbd_smb2_session_setup_state);
 557         if (req == NULL) {
 558                 return NULL;
 559         }
 560         state->ev = ev;
 561         state->smb2req = smb2req;
 562         state->in_session_id = in_session_id;
 563         state->in_flags = in_flags;
 564         state->in_security_mode = in_security_mode;
 565         state->in_previous_session_id = in_previous_session_id;
 566         state->in_security_buffer = in_security_buffer;
 567
 568         if (in_flags & SMB2_SESSION_FLAG_BINDING) {
 569                 if (smb2req->xconn->protocol < PROTOCOL_SMB2_22) {
 570                         tevent_req_nterror(req, NT_STATUS_REQUEST_NOT_ACCEPTED);
 571                         return tevent_req_post(req, ev);
 572                 }
 573
 574                 /*
 575                  * We do not support multi channel.
 576                  */
 577                 tevent_req_nterror(req, NT_STATUS_NOT_SUPPORTED);
 578                 return tevent_req_post(req, ev);
 579         }
 580
 581         talloc_set_destructor(state, smbd_smb2_session_setup_state_destructor);
 582
 583         if (state->in_session_id == 0) {
 584                 /* create a new session */
 585                 status = smbXsrv_session_create(state->smb2req->xconn,
 586                                                 now, &state->session);
 587                 if (tevent_req_nterror(req, status)) {
 588                         return tevent_req_post(req, ev);
 589                 }
 590         } else {
 591                 if (smb2req->session == NULL) {
 592                         tevent_req_nterror(req, NT_STATUS_USER_SESSION_DELETED);
 593                         return tevent_req_post(req, ev);
 594                 }
 595
 596                 state->session = smb2req->session;
 597                 status = state->session->status;
 598                 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
 599                         status = NT_STATUS_OK;
 600                 }
 601                 if (NT_STATUS_IS_OK(status)) {
 602                         state->session->status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 603                         status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 604                         TALLOC_FREE(state->session->gensec);
 605                 }
 606                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 607                         tevent_req_nterror(req, status);
 608                         return tevent_req_post(req, ev);
 609                 }
 610         }
 611
 612         status = tag_state_session_ptr(state);
 613         if (tevent_req_nterror(req, status)) {
 614                 return tevent_req_post(req, ev);
 615         }
 616
 617         if (state->session->gensec == NULL) {
 618                 status = auth_generic_prepare(state->session,
 619                                               state->smb2req->xconn->remote_address,
 620                                               &state->session->gensec);
 621                 if (tevent_req_nterror(req, status)) {
 622                         return tevent_req_post(req, ev);
 623                 }
 624
 625                 gensec_want_feature(state->session->gensec, GENSEC_FEATURE_SESSION_KEY);
 626                 gensec_want_feature(state->session->gensec, GENSEC_FEATURE_UNIX_TOKEN);
 627
 628                 status = gensec_start_mech_by_oid(state->session->gensec,
 629                                                   GENSEC_OID_SPNEGO);
 630                 if (tevent_req_nterror(req, status)) {
 631                         return tevent_req_post(req, ev);
 632                 }
 633         }
 634
 635         become_root();
 636         subreq = gensec_update_send(state, state->ev,
 637                                     state->session->gensec,
 638                                     state->in_security_buffer);
 639         unbecome_root();
 640         if (tevent_req_nomem(subreq, req)) {
 641                 return tevent_req_post(req, ev);
 642         }
 643         tevent_req_set_callback(subreq, smbd_smb2_session_setup_gensec_done, req);
 644
 645         return req;
 646 }
 647
 648 static void smbd_smb2_session_setup_gensec_done(struct tevent_req *subreq)
 649 {
 650         struct tevent_req *req =
 651                 tevent_req_callback_data(subreq,
 652                 struct tevent_req);
 653         struct smbd_smb2_session_setup_state *state =
 654                 tevent_req_data(req,
 655                 struct smbd_smb2_session_setup_state);
 656         NTSTATUS status;
 657
 658         become_root();
 659         status = gensec_update_recv(subreq, state,
 660                                     &state->out_security_buffer);
 661         unbecome_root();
 662         TALLOC_FREE(subreq);
 663         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
 664             !NT_STATUS_IS_OK(status)) {
 665                 tevent_req_nterror(req, status);
 666                 return;
 667         }
 668
 669         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 670                 state->out_session_id = state->session->global->session_wire_id;
 671                 /* we want to keep the session */
 672                 state->session = NULL;
 673                 TALLOC_FREE(state->pp_self_ref);
 674                 tevent_req_nterror(req, status);
 675                 return;
 676         }
 677
 678         status = gensec_session_info(state->session->gensec,
 679                                      state->session->global,
 680                                      &state->session_info);
 681         if (tevent_req_nterror(req, status)) {
 682                 return;
 683         }
 684
 685         if ((state->in_previous_session_id != 0) &&
 686              (state->session->global->session_wire_id !=
 687               state->in_previous_session_id))
 688         {
 689                 subreq = smb2srv_session_close_previous_send(state, state->ev,
 690                                                 state->smb2req->xconn,
 691                                                 state->session_info,
 692                                                 state->in_previous_session_id,
 693                                                 state->session->global->session_wire_id);
 694                 if (tevent_req_nomem(subreq, req)) {
 695                         return;
 696                 }
 697                 tevent_req_set_callback(subreq,
 698                                         smbd_smb2_session_setup_previous_done,
 699                                         req);
 700                 return;
 701         }
 702
 703         smbd_smb2_session_setup_auth_return(req);
 704 }
 705
 706 static void smbd_smb2_session_setup_previous_done(struct tevent_req *subreq)
 707 {
 708         struct tevent_req *req =
 709                 tevent_req_callback_data(subreq,
 710                 struct tevent_req);
 711         NTSTATUS status;
 712
 713         status = smb2srv_session_close_previous_recv(subreq);
 714         TALLOC_FREE(subreq);
 715         if (tevent_req_nterror(req, status)) {
 716                 return;
 717         }
 718
 719         smbd_smb2_session_setup_auth_return(req);
 720 }
 721
 722 static void smbd_smb2_session_setup_auth_return(struct tevent_req *req)
 723 {
 724         struct smbd_smb2_session_setup_state *state =
 725                 tevent_req_data(req,
 726                 struct smbd_smb2_session_setup_state);
 727         NTSTATUS status;
 728
 729         if (state->session->global->auth_session_info != NULL) {
 730                 status = smbd_smb2_reauth_generic_return(state->session,
 731                                                          state->smb2req,
 732                                                          state->session_info,
 733                                                          &state->out_session_flags,
 734                                                          &state->out_session_id);
 735                 if (tevent_req_nterror(req, status)) {
 736                         return;
 737                 }
 738                 /* we want to keep the session */
 739                 state->session = NULL;
 740                 TALLOC_FREE(state->pp_self_ref);
 741                 tevent_req_done(req);
 742                 return;
 743         }
 744
 745         status = smbd_smb2_auth_generic_return(state->session,
 746                                                state->smb2req,
 747                                                state->in_security_mode,
 748                                                state->session_info,
 749                                                &state->out_session_flags,
 750                                                &state->out_session_id);
 751         if (tevent_req_nterror(req, status)) {
 752                 return;
 753         }
 754
 755         /* we want to keep the session */
 756         state->session = NULL;
 757         TALLOC_FREE(state->pp_self_ref);
 758         tevent_req_done(req);
 759         return;
 760 }
 761
 762 static NTSTATUS smbd_smb2_session_setup_recv(struct tevent_req *req,
 763                                         uint16_t *out_session_flags,
 764                                         TALLOC_CTX *mem_ctx,
 765                                         DATA_BLOB *out_security_buffer,
 766                                         uint64_t *out_session_id)
 767 {
 768         struct smbd_smb2_session_setup_state *state =
 769                 tevent_req_data(req,
 770                 struct smbd_smb2_session_setup_state);
 771         NTSTATUS status;
 772
 773         if (tevent_req_is_nterror(req, &status)) {
 774                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 775                         tevent_req_received(req);
 776                         return nt_status_squash(status);
 777                 }
 778         } else {
 779                 status = NT_STATUS_OK;
 780         }
 781
 782         *out_session_flags = state->out_session_flags;
 783         *out_security_buffer = state->out_security_buffer;
 784         *out_session_id = state->out_session_id;
 785
 786         talloc_steal(mem_ctx, out_security_buffer->data);
 787         tevent_req_received(req);
 788         return status;
 789 }
 790
 791 static struct tevent_req *smbd_smb2_logoff_send(TALLOC_CTX *mem_ctx,
 792                                         struct tevent_context *ev,
 793                                         struct smbd_smb2_request *smb2req);
 794 static NTSTATUS smbd_smb2_logoff_recv(struct tevent_req *req);
 795 static void smbd_smb2_request_logoff_done(struct tevent_req *subreq);
 796
 797 NTSTATUS smbd_smb2_request_process_logoff(struct smbd_smb2_request *req)
 798 {
 799         NTSTATUS status;
 800         struct tevent_req *subreq = NULL;
 801
 802         status = smbd_smb2_request_verify_sizes(req, 0x04);
 803         if (!NT_STATUS_IS_OK(status)) {
 804                 return smbd_smb2_request_error(req, status);
 805         }
 806
 807         subreq = smbd_smb2_logoff_send(req, req->sconn->ev_ctx, req);
 808         if (subreq == NULL) {
 809                 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
 810         }
 811         tevent_req_set_callback(subreq, smbd_smb2_request_logoff_done, req);
 812
 813         /*
 814          * Wait a long time before going async on this to allow
 815          * requests we're waiting on to finish. Set timeout to 10 secs.
 816          */
 817         return smbd_smb2_request_pending_queue(req, subreq, 10000000);
 818 }
 819
 820 static void smbd_smb2_request_logoff_done(struct tevent_req *subreq)
 821 {
 822         struct smbd_smb2_request *smb2req =
 823                 tevent_req_callback_data(subreq,
 824                 struct smbd_smb2_request);
 825         DATA_BLOB outbody;
 826         NTSTATUS status;
 827         NTSTATUS error;
 828
 829         status = smbd_smb2_logoff_recv(subreq);
 830         TALLOC_FREE(subreq);
 831         if (!NT_STATUS_IS_OK(status)) {
 832                 error = smbd_smb2_request_error(smb2req, status);
 833                 if (!NT_STATUS_IS_OK(error)) {
 834                         smbd_server_connection_terminate(smb2req->xconn,
 835                                                         nt_errstr(error));
 836                         return;
 837                 }
 838                 return;
 839         }
 840
 841         outbody = smbd_smb2_generate_outbody(smb2req, 0x04);
 842         if (outbody.data == NULL) {
 843                 error = smbd_smb2_request_error(smb2req, NT_STATUS_NO_MEMORY);
 844                 if (!NT_STATUS_IS_OK(error)) {
 845                         smbd_server_connection_terminate(smb2req->xconn,
 846                                                         nt_errstr(error));
 847                         return;
 848                 }
 849                 return;
 850         }
 851
 852         SSVAL(outbody.data, 0x00, 0x04);        /* struct size */
 853         SSVAL(outbody.data, 0x02, 0);           /* reserved */
 854
 855         error = smbd_smb2_request_done(smb2req, outbody, NULL);
 856         if (!NT_STATUS_IS_OK(error)) {
 857                 smbd_server_connection_terminate(smb2req->xconn,
 858                                                 nt_errstr(error));
 859                 return;
 860         }
 861 }
 862
 863 struct smbd_smb2_logoff_state {
 864         struct smbd_smb2_request *smb2req;
 865 };
 866
 867 static void smbd_smb2_logoff_shutdown_done(struct tevent_req *subreq);
 868
 869 static struct tevent_req *smbd_smb2_logoff_send(TALLOC_CTX *mem_ctx,
 870                                         struct tevent_context *ev,
 871                                         struct smbd_smb2_request *smb2req)
 872 {
 873         struct tevent_req *req;
 874         struct smbd_smb2_logoff_state *state;
 875         struct tevent_req *subreq;
 876
 877         req = tevent_req_create(mem_ctx, &state,
 878                         struct smbd_smb2_logoff_state);
 879         if (req == NULL) {
 880                 return NULL;
 881         }
 882         state->smb2req = smb2req;
 883
 884         subreq = smb2srv_session_shutdown_send(state, ev,
 885                                                smb2req->session,
 886                                                smb2req);
 887         if (tevent_req_nomem(subreq, req)) {
 888                 return tevent_req_post(req, ev);
 889         }
 890         tevent_req_set_callback(subreq, smbd_smb2_logoff_shutdown_done, req);
 891
 892         return req;
 893 }
 894
 895 static void smbd_smb2_logoff_shutdown_done(struct tevent_req *subreq)
 896 {
 897         struct tevent_req *req = tevent_req_callback_data(
 898                 subreq, struct tevent_req);
 899         struct smbd_smb2_logoff_state *state = tevent_req_data(
 900                 req, struct smbd_smb2_logoff_state);
 901         NTSTATUS status;
 902
 903         status = smb2srv_session_shutdown_recv(subreq);
 904         if (tevent_req_nterror(req, status)) {
 905                 return;
 906         }
 907         TALLOC_FREE(subreq);
 908
 909         /*
 910          * As we've been awoken, we may have changed
 911          * uid in the meantime. Ensure we're still
 912          * root (SMB2_OP_LOGOFF has .as_root = true).
 913          */
 914         change_to_root_user();
 915
 916         status = smbXsrv_session_logoff(state->smb2req->session);
 917         if (tevent_req_nterror(req, status)) {
 918                 return;
 919         }
 920
 921         /*
 922          * we may need to sign the response, so we need to keep
 923          * the session until the response is sent to the wire.
 924          */
 925         talloc_steal(state->smb2req, state->smb2req->session);
 926
 927         tevent_req_done(req);
 928 }
 929
 930 static NTSTATUS smbd_smb2_logoff_recv(struct tevent_req *req)
 931 {
 932         return tevent_req_simple_recv_ntstatus(req);
 933 }